This tool is inspired by the show "Stranger Things".
There are spoilers, so, if you want to watch the show, read no further.
You were warned. :-)
First, some background, in case you haven't seen the show.
In the show, an alternate reality, called the Upside Down is introduced. Think of this as an overlay to the real world, same infrastructure and objects, but unseen, and inhabited with monsters.
"The Upside Down is an alternate reality or dimension existing in parallel to the human world. It contains the same locations and infrastructure as the human world, but it is much darker, colder, foggier..."
In one of the scenes, they discuss the Vale of Shadows from a D&D book...
"The Vale of Shadows is a dimension that is a dark reflection, or echo, of our world. It is a place of decay and death, a plane out of phase, a [place] with monsters. It is right next to you and you don’t even see it..."
Over the summer, I took some time off to reflect and think about things... While binge watching the show, I was inspired to think about Apex actors. :-) The result was a show-inspired tool I wrote.
By Apex actors, I mean those actors that are untouchable so to speak. Think of apex predators in the natural world. These are the animals at the top of the food-chain...
Ok. So the question becomes: if we are really into "Adversarial Emulation", how can we mimic the actions of these actors? What exactly are Apex actors capable of?
Here is a short list of what I would consider examples of Apex actor capabilities:
- Remote Privilege Escalation
- DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis
- Digging deep for PLATINUM
So, while you may think your Red Team operates like an Apex actor, you probably do not.
If you are honest, you probably operate/emulate something like cyber criminal capabilities.
So, what is the point of this post?
Over my time off this summer, I spent a fair amount of time exploring the idea of releasing a set of tools/capabilities to be able to emulate an Apex actor.
I wanted to build something that would give teams the ability to step up their game. I want limited distribution to keep the "mystique" and to avoid it becoming a commodity tool.
I wanted something that would allow Red Teams to operate from the "Upside Down" ;-).
The Upside Down here is a Stranger Things reference: operating from an "undetectable dimension" while interacting with the actual infrastructure of an organization.
Geeky? Yes. Possible? Absolutely.
I developed a tool I'm calling Demogorgon:
"What’s a Demogorgon? Why were they so afraid to face it in battle? Demogorgon is none other than the Prince of Demons, and has been an iconic D&D creature since 1975, along with Orcus, his chief rival and enemy. You can find a short description of Demogorgon in the 5th edition Monster Manual under the Demon Lords section (pgs. 51-52), and a brief mention in the 5th edition Dungeon Master’s Guide in The Abyss section (pg. 62)." 
I will first share some of the architectural decisions and capabilities that I built into the tool. The idea was to be a "rootkit-like thing". Rootkits are interesting in that they want to run and they want to hide. Some traditional rootkit capabilities just aren't always necessary, and will likely get you caught by modern Operating System defenses.
Some things I've added include:
- Novel execution, migration and repair capabilities. (The Flea)
- Detailed logging and reporting from Red Team use.
- Modules delivered as keyed byte arrays, minimizing PE structures, RWX regions, etc. (Inspired by Ebowla.)
Do we really need a new tool? Maybe. If you don't think so, don't use it... It's not going to be for everyone anyway. I wanted to learn some advanced tactics. I wanted to push past modern detections and advance defender detection capabilities.
I intend limited distribution to friends and family. Once I've got the bugs worked out, I'll distribute to a wider audience, maybe. Either way, I intend to limit distribution. Maybe it will only be available west of the Mississippi :-).
This tool is not meant to compete with tools like Empire, Cobalt Strike, or Metasploit. From host-based to network-based, many organizations are prepared for and have strong detection capabilities for these tools.
These are all still highly effective tools, but they often have strong signatures and detections built around them.
If all goes well, the final development will be ready for October 31st release.
That's it, just a sneak peek of stranger things to come.
The idea behind Demogorgon is to give Blue Teams a chance to face their nightmare: something they have never seen before, and something that they can't see.
Feel free to DM if you want to be added to the list of technical reviewers.